With Bring Your Own Biometrics (BYOB), Indicio Proven allows you to add authenticated biometrics to a Verifiable Credential (VC). This means biometrics can be verified without having to store biometric data, liveness checks can be double checked to mitigate AI fraud, and biometric data can be bound to biographical details, making your biometric solution much more powerful.
By: Trevor Butterworth
Biometrics for identity verification have spread rapidly over the past few years making authentication fast and convenient. But a confluence of challenges, not least the arrival of deepfakes, means it’s time for biometric authentication to evolve. The good news is that with Indicio Proven’s “Bring Your Own Biometrics” (BYOB), it’s easy, it won’t cost the earth, and it will significantly enhance how biometrics are used and expand what they can be used for, benefiting everyone.
Here are three ways BYOB powers Bio.
1. Lack of integrated biographic data reduces efficiency
A biometric scan is a quick and seemingly reliable way to confirm that someone’s face, fingerprint, iris, retina, or voice match a record in a database. But without biographic data, this verification lacks context. Organizations must manually cross-check biometric results with separate records and information about the person, slowing down authentication processes and increasing the risk of mismatches.
For example, if a company uses facial recognition for secure facility access but does not integrate biographic data, employees may face unnecessary delays due to system errors or lack of context about their access rights.
Indicio Proven and BYOB solve this by giving organizations the ability to add a biometric template to a Verifiable Credential. This means that after, say, the identity assurance process for employee onboarding, that employee can hold their biometric data on their mobile device in a way that makes the information tamper-proof and easily shareable for verification, anywhere at any time.
The verifying party can be certain about the identity of the organization that issued the template — the employer, for example, can know that it issued the template — and that the template has been bound to the identity of the person its data describes.
This simplifies biometric security because, now, the employer doesn’t have to store employee biometrics in order to verify the identity of its employees, and it also enables the employer to add other useful information about the employee to the biometric credential, such as which systems or facilities they have access to.
For example, you could configure least privileged remote access to a network with biometric authentication and do so in a way that avoids the risk of generative AI biometric identity fraud, as each liveness check would require the simultaneous presentation of an authenticated biometric from a credential.
2. Simplifying compliance with GDPR, advancing eIDAS
Biometrics are a special category of personal data under the European Union’s General Data Protection Regulation (GDPR), which means that biometric data can only be processed under specific conditions, where there is a legal obligation or public interest.
At the same time, biometrics are increasingly being used for formal identity purposes, particularly around payments and travel, but neither eIDAS, the EU’s digital identity framework, nor EUDI, the European Digital Identity regulation for an EU digital wallet cover these biometric credential and wallet-based use cases.
This is where Indicio Proven’s BYOB provides a model for meeting GDPR on biometric security — and a model for implementing portable biometric digital identity in EUDI.
Under GDPR, biometric data must be encrypted at rest and in transit, “ensuring,” as noted by the EU’s GDPR Register, “that even if data is accessed by unauthorized parties, it remains unreadable.”
With Indicio Proven BYOB, the person is issued an encrypted biometric template to store in their digital wallet. This data doesn’t need to be stored by anyone else in order to be cryptographically verified. This removes a critical security weakness in biometric processing — storing biometric data in a database to process it. And if it doesn’t need to be stored, it can’t accessed by any unauthorized person.
The significance of BYOB to eIDAS and EUDI is that it opens a seamless, secure route to using biometrics for a much wider range of authentication purposes. If a liveness check must be accompanied by an authenticated biometric presentation from a credential, you have a simple way to apply the highest level of authentication for any kind of access. There’s no need to store biometric data because processing maximizes data minimization; and because a liveness check must be backed by a BYOB presentation, the subject must explicitly consent to the processing.
All of this is quick and easily auditable.
And — as in the first section — you can add and bind lots of useful information to a biometric authentication.
BYOB is the most efficient way for eIDAS and EUDI to meet the market needs of biometrics and GDPR.
3. “Fake you” broke the law
Biometric systems are often marketed as precise when they are probabilistic. We know they can produce false positives — they can misidentify people. Similarly, they can produce false negatives — they fail to identify people. The US National Institutes of Standards and Technology has set benchmarks for accurate identification at one error per hundred thousand tests; one expert says the reality is more than one error per hundred, depending on the system.
Biometrics can be spoofed. From stealing fingerprints to using a photo to fake a liveness check to using generative AI to create “deepfake” audio and images. There’s an authentication-biometric fraud arms race.
Biometrics systems are also at risk of bias either from technical limitations in recording the biometric (such as registering skin tones) or from the way the biometric data might be analyzed and processed, especially from AI. Some people do not have fingerprints, or have spent years working jobs where their fingerprints have worn down. Wearing glasses may decrease the accuracy of biometric scans; disability may prevent using biometric systems altogether. There are a multitude of sensitive and potentially discriminatory issues around implementation.
BYOB solves all these problems by providing a fully portable way to cross check a biometric scan AND provide contextual information around the person’s identity — all in a secure, privacy-preserving way that’s easy to implement and easy for everyone to use.
Indicio’s BYOB = biometrics 2.0
Biometric authentication is convenient and powerful and people want to be able to trust it and use it— but it’s still flip phone tech for a smart phone era. With Indicio Proven BYOB, we’re taking biometrics to the next level, one where biometrics can be used more widely and more usefully and more securely than current systems can possibly deliver.
Contact us to learn how we’re implementing BYOB for critical biometric use cases around the world and to discuss how your use case can benefit.
###
